Business must take cyber risks seriously

Australia’s security agencies have sounded a warning that our biggest companies and infrastructure networks are not prepared for the risks they face in the frontline of an undeclared, endless cyber war.

The director-general of the Australian Security Intelligence Organisation, David Irvine, told The Australian Financial Review earlier this week that he and senior Defence Signals Directorate officers have been personally calling on chief executives and boards to warn them of the damage that malicious cyber attacks can do to their bottom line.

ASIO says cyber attacks are leading to the leaking of confidential information from governments, the private sector and ordinary individuals on a massive scale.

Yet some Australian companies have told the AFR they understand the risks and are taking action.

Westpac chairman Lindsay Maxsted, who sits on the BHP and Transurban boards, says his companies are attacked “all the time” even though at Westpac a large part of its information technology spending is on security.

A study commissioned by Hewlett-Packard in October found that the average annual cost of cyber crime among a sample of 33 Australian businesses was $3.2 million per year.

Yet our security agencies say despite the high awareness of risks, Australian companies are still not doing enough to protect their systems from being infiltrated.

This is especially true of those who control water, power and infrastructure networks as the tempo of this undeclared war could be stepped up into a major assault at a moment’s notice.

As reported in this newspaper, cyber attacks have become a feature of the international scene. After a 2007 diplomatic dispute, Russia launched a devastating cyber attack on Estonia, crashing key networks. A year later, it made a similar attack on Georgia to flood news, radio and TV networks with propaganda.

In 2010, the US and Israel launched a sophisticated attack that destroyed parts of Iran’s nuclear program. Iran retaliated by attacking the websites of US financial institutions as well as computer networks in Saudi Arabia, an American ally.

These cyber battles were undeclared at the time and went largely unnoticed by the public. But they potentially cause as much damage to property as old-fashioned wars of bombs and rockets, particularly as computers now control almost all aspects of our physical infrastructure, interlinked by the ubiquitous internet.

The corporate world is being systematically attacked for commercial advantage. BHP Billiton and Rio Tinto’s networks were reportedly attacked by Chinese hackers, and hackers also infiltrated seven law firms in Canada that were working on BHP’s failed bid for Saskatchewan-based Potash Corp in 2010.

Security concerns resulted in the federal government last year banning the Chinese telecommunications giant Huawei from participating in the rollout of the national broadband network. The action was taken on the advice of ASIO, although the agency did not make its reasons public at the time. ASIO is also concerned that as state governments put up their infrastructure assets for sale, cyber attacks on critical infrastructure will increase.

Cyber risks haven’t stopped recent deals, however. In November, China’s State Grid agreed to pay $500 million for a 41.1 per cent stake in South Australian electricity supplier ElectraNet from the Queensland network owner Powerlink. This is the first large acquisition of a utility by a Chinese company since the federal government blocked Huawei from working on the NBN.

ASIO has taken the unprecedented step of publicising its concerns on this issue because it wants to make sure that governments, the corporate world and public sector ensure cyber security systems can handle major blows from hostile foreign powers, companies or terrorist groups.

ASIO is also pushing data retention laws that would require communication providers to store basic information on data exchanges for at least two years. It also wants reforms to communication and privacy laws in order to provide an additional level of cyber insurance.

Governments should be mindful of the consequences of privatisation with regard to the security of critical infrastructure. Privatisation most likely will lead to more efficient and competitive service provision, but the unintended consequence may be that privatisation makes it more difficult to protect networks from attack.

Corporate executives and directors also need to ensure that their companies comprehensively assess the risks and take action to guard against cyber warfare.

However, ASIO’s demands for more regulation may simply impose yet another layer of red tape on Australian companies without solving the problem.

Government should be wary of addressing cyber security threats through increased regulation.

We need to strike a balance between sensible regulation and encouraging Australian companies to find their own solutions to these growing risks.